<div dir="ltr"><div><div><div><div><div>I have seen multiple instance of users authenticating from an Android device to a Solaris based NAS with ZFS file system. I have reproduced the issue myself with OpenIndiana and OmniOS (both open source), the latest version of Oracle Solaris 11.1 dosen't suffer from the same problem.<br>
<br></div>I have spent some time looking into it and found out that most (if not all) android app with SMB support use JCIFS. I also found one android app: Total Commander, had a work around for older NAS that made it work with my OI NAS.<br>
<br></div>This workaround is:<br><br>jcifs.Config.setProperty("jcifs.smb.client.useExtendedSecurity", false);<br>jcifs.Config.setProperty("jcifs.smb.lmCompatibility", 0); <br><br>0,1 -- Sends LM and NTLM responses.<br>
2 -- Sends only the NTLM response. This is more secure than Levels 0 and 1, because it eliminates the cryptographically-weak LM response.<br>3,4,5 -- Sends LMv2 and NTLMv2 data. NTLMv2 session security is also negotiated if the server supports it. This is the default behavior (in 1.3.0 or later). <br>
<br></div>So it seems fair to assume that most today's would use LMv2/NTLMv2.<br><br><br></div>On the Solaris side now, both OI and OmniOS are distribution based on illumos (<a href="http://wiki.illumos.org">http://wiki.illumos.org</a>).<br>
<br></div>From the manual I found the following:<br><div><div><br>lmauth_level<br><br> Specifies the LAN Manager (LM) authentication level. The LM compatibility level controls the type of user authentication to use in workgroup mode or domain mode. The default value is 4.<br>
<br> The following describes the behavior at each level.<br><br> 2 In Windows workgroup mode, the Solaris CIFS server accepts LM, NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends NTLM requests.<br>
<br> 3 In Windows workgroup mode, the Solaris CIFS server accepts LM, NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.<br>
<br> 4 In Windows workgroup mode, the Solaris CIFS server accepts NTLM, LMv2, and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.<br>
<br> 5 In Windows workgroup mode, the Solaris CIFS server accepts LMv2 and NTLMv2 requests. In domain mode, the SMB redirector on the Solaris CIFS server sends LMv2 and NTLMv2 requests.<br><br></div>
<div>What am I seeing:<br><br></div><div>From an app perspective the issue is that the password is refused (Bad password).<br>I then fired up wireshark and put myself in between my NAS and my Nexus7 tablet.<br></div><div>
>From a network perspective here is what is happening:<br><br></div><div>Bit of background info: In wireshark and SMBv1:<br>LM hash is named: ANSI Password, (CaseInsensitive hash)<br>NT hash is named Unicode Password. (CaseSensitive hash)<br>
<br></div><div>On a standard Android APP (using JCIFS) here is what I see:<br></div><div>NT Create AndX Response contain the ANSI Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (24 bytes length)<br></div><div>This FAIL.<br><br>
</div><div>On total commander in "compatiblity" mode I see:<br></div><div>NT Create AndX Response contain the<br>ANSI Password: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (24 bytes length)<br></div><div>Unicode Password: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY (24 bytes length)<br>
</div><div>This WORKS<br></div><div><br></div><div>In addition my Windows 8 machine use the following:<br></div><div><div>NT Create AndX Response contain the<br>ANSI Password: 000000000000000000000000000000 (24 bytes NULLs)<br>
</div><div>Unicode Password: YYYYYYYYYYYYYYYYYYYYYYYYYYYYYY (24 bytes length)<br></div>This WORKS</div><div><br></div><div>For reason I don't understand it seem that by default when JCIFS authenticate with my NAS, it sends only the LM(v2?) Hash.<br>
<br></div><div>When I use total commander compatiblity it sends the LM + NTLM hash, and that works.<br><br></div><div>Where I gets confused is that OI/OmniOS/Illumos fully support LM/LMv2/NTLM/NTLMv2.<br><br></div><div>I have tried to lower the lmauth_level on illumos so it allow LM hash but without success. (Still fail).<br>
</div><div><br></div><div>Anyone has an idea why JCIFS would send just a ANSI Password (LM hash) by default?, and more importantly why it would fail?<br></div><div><br></div><div>I will also try to find idea on the Illumos mailing list.<br>
</div><div><br></div><div>Thanks everyone.<br></div><div><br></div></div></div>